Service providers, including law and consultancy firms, require the same due diligence that you would apply to suppliers involved in the making of a product. In particular, the legal sector holds vast quantities of sensitive corporate data that hackers can target, putting it at risk of a cyberattack. Law firms are also often easy prey because many use outdated IT systems and have been slow to adopt security policies.
Likewise, manufacturing companies are behind the curve in terms of their cyber protections relative to other industries. The financial services and technology sectors have relied on connected IT systems for years, making them more attuned to — and better prepared for — cyberattacks. Manufacturing companies need to strengthen their defenses as they embrace Industry 4.0 and begin to link their operations to the internet to improve output and productivity.
The other challenges are more conceptual. The dangers of cyberattacks are often under-appreciated, with executives bemoaning the high costs of security protections. One reason is that some breaches don’t have to be made public and therefore go unreported, creating a false sense of security among business leaders.
This comes as the perpetrators of cybercrime are becoming increasingly sophisticated — ranging from private criminal groups to state-backed hackers, who can cause major disruptions and have a large financial impact on multinationals.
This happened in 2017 when the two consumer goods giants, Mondelez International and Reckitt Benckiser, were hit by the Petya malware that infected their organizations and disrupted operations and earnings. Mondelez, which makes Oreo cookies and Cadbury chocolates, took a financial hit of more than $100m.
Beyond that, a growing issue for manufacturers is intellectual property (IP) crime — when hackers steal and sell patents, trademarks, or industrial designs to third parties, or use them to make counterfeit goods for sale on the black market. The threat to IP can also come from within organizations: employees unintentionally sharing private data on unsecured networks, deliberately stealing data for commercial gain, or seeking revenge on an employer they resent.
In this environment, companies need to create layers of defenses around not only their technology but also their people. Most breaches come down to human error, omission or negligence. In “smart factories”, special attention must be paid to production engineers, who are designing, building and maintaining all the systems, including automated machines.
Every connected device on the factory floor should be linked securely to the on-site gateway that receives its data, in order to prevent people without permission from gaining network access. Unfortunately, devices are rarely secured, with many owners continuing to use default passwords. Because default passwords are usually simple and publicly documented, they give hackers an easy route into the corporate network.
Clearly, strong cybersecurity education is a must. However, smaller suppliers seldom have the budget or expertise to deliver this training. So companies may need to support their supplier network by offering education themselves, in order to manage the upstream risk in the supply chain. The providers of automation technologies also have a role to play in advising customers about the right protections, so they can use their systems with confidence.
In the years ahead, more manufacturing companies are likely to automate and digitize production processes to boost their competitiveness. But they will need the right protections in place to mitigate the growing cyber-risk to supply chains.